[johnnyt]

Phil

Thanks for the advice regarding the avenger. I'm going to be working away from tomorrow (Sunday) until probably a week on Monday.

I'm only letting you know because I won't be at this computer for the next week and I don't want you thinking that I'm not replying to you.

If its ok by you I'll follow your instructions on my return and post my results then...

So... congratulations... you've got a week off from me

Many thanks

[Advertisements]

I have a system which sends you a PM reminder after 10 days of inactivity, so 9 days is OK.

Enjoy your week.

[Crustyoldbloke]

I have a system which sends you a PM reminder after 10 days of inactivity, so 9 days is OK.

Enjoy your week.

[johnnyt]

Hi Phil

I've just run that Avenger program and here's the log...

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\trknyylv

*******************

Script file located at: \??\C:\Documents and Settings\dajvrvof.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\setup.exe deleted successfully.
File D:\setup.exe deleted successfully.


File E:\setup.exe not found!
Deletion of file E:\setup.exe failed!

Could not process line:
E:\setup.exe
Status: 0xc0000034



File F:\setup.exe not found!
Deletion of file F:\setup.exe failed!

Could not process line:
F:\setup.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


The reason it didn't find anything in F drive or E drive was because I had already deleted the setup.exe files from there manually.

They are gone at the moment by I'm sure they'll be back within the hour...

Many thanks

[Crustyoldbloke]

I guess I best hang on for a while to see what happens.

[johnnyt]

Sorry for the late reply. I've been working away again. The setup.exe and autorun.inf files are back! They disappeared for about twelve hours and then returned. A friend told me about the Virus Total website.

I've run setup.exe through the Virus Total website and here are the results...

AntiVir - no virus found
Authentium - W32/Methodbod.gen2
Avast - no virus found
AVG - no virus found
BitDefender - DeepScan:Generic.Horst.DCE2E387
CAT-QuickHeal - no virus found
ClamAV devel- - Trojan.Medbot-98
DrWeb - no virus found
eSafe - suspicious Trojan/Worm
eTrust-InoculateIT - no virus found
eTrust-Vet - no virus found
Ewido - no virus found
Fortinet - no virus found
F-Prot - W32/Methodbod.gen2
F-Prot4 - W32/Methodbod.gen2
Ikarus T - no virus found
Kaspersky - no virus found
McAfee - no virus found
Microsoft - no virus found
NOD32v2 - no virus found
Norman - W32/Horst.gen14
Panda - Suspicious file
Prevx1 - no virus found
Sophos - Mal/Behav-080
Sunbelt - no virus found
TheHacker - Trojan/Horst.gen
UNA - no virus found
VBA32 - MalwareScope.Trojan-Proxy.Horst.1
VirusBuster - no virus found

As you can see, a lot of the antivirus programs don't even recognise it....

Any ideas on my next move?

I'm working away again from today until next Tuesday so I won't be able to perform any actions on my system until then. I can't believe how hard this thing is to shift..! Are we running out of ideas or do you have some other tricks up your sleeve?

Many thanks

[Crustyoldbloke]

Hello again

For the files to reappear, they must have a sponsor elsewhere on your system or you are just being reinfected. Virus Total lists a few AV programmes that detect it as a Trojan, so the logical answer is, let's use one of those AV scanners to get rid of it, since it will know what other files to look for if it is being kept alive. So, download f-prot AV and perform a scan.

http://files.f-prot....s-x86-hc-en.msi

Just to give it a fair trial, please exit AVG AV when installing f-prot, so as to avoid any conflicts.

I will look forward to the result.

[johnnyt]

Phil

Sorry for the late reply. After my last post I had to leave as I was working away again. I've returned now (literally just walked in, made a brew and sat down in front of the computer). I'm downloading that AV program and will run it and then post back to you.

Thank you for your patience

[Crustyoldbloke]

OK, no problem.

[johnnyt]

Phil

I ran the scan last night and it successfully identified the "setup.exe" files as W32/Methodbod.gen2

I couldn't disinfect them so instead it quarantined them.

So, the setup.exe files are gone at the moment. I've just come online and I'm going to see if they return. Will let you know one way or another.

My only concern is that the setup.exe files were all it found in the way of virii on the computer. I wanted it to find whatever was causing the setup.exe files to appear in the first place... still I'll wait and see what happens.

Many thanks...

[Crustyoldbloke]

That's a pity because it hasn't moved us any further forwards.

Just an extra thought here, install MVPS hosts if you haven't already. It is just possible that a site you visit frequently may be re-infecting you.

[johnnyt]

What is MVPS hosts and where do I find it? I searched on Google and found a hosts file for Internet Explorer with a big list of banned sites.. is this what you mean? Or is MVPS hosts a program?

[Crustyoldbloke]

MVPS Hosts file This replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

[johnnyt]

Phil

A strange thing has happened... the setup.exe files and autorun.inf files have returned but this time the setup.exe file is 0Kb in size. I've run it through the VirusTotal website and it isn't a virus, its obviously just an empty file called setup.exe ??????

I don't know whether this means the thing that was creating these files on my computer has gone... but then why would they come back at all if that was the case?

Any ideas what could have caused this?

Many thanks

[Crustyoldbloke]

Not a clue here. But it is good news.

If you were being re-infected by a drive-by from a website, perhaps the payload is no longer deliverable hence the 0KB size.

I suggest we wait 48 hours before hoisting flags.

[Crustyoldbloke]

Hello again

I have just been reading about a flash drive worm. This is a long shot, but worth a try. Please download and run: W32.Perlovga.Remover

Any change?